From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65B9FC77B7C for ; Sat, 13 May 2023 09:34:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237424AbjEMJed (ORCPT ); Sat, 13 May 2023 05:34:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231736AbjEMJea (ORCPT ); Sat, 13 May 2023 05:34:30 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A885BE63 for ; Sat, 13 May 2023 02:34:29 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3B17760DF8 for ; Sat, 13 May 2023 09:34:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7C887C433EF; Sat, 13 May 2023 09:34:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1683970468; bh=bTlCpUA7NjNdRUsAWNc+glm1Q0qG6jscwIK4xu6wTNM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=HP3j7Yin5lhCTSdKABhJJuJv2YmWMGVMAEpfHETYHpW5minkKV3HigOG2yBZwswVp BZY/CKyIDABImMLjSrFyh0fxlVop0FHX/+JE45oojKBBWt7gp/Jj6kjHgwRXatUjsi g/yOo717mMouNClQKaR3waLqJOqE7GuGkHVviYFQ= Date: Sat, 13 May 2023 18:33:22 +0900 From: Greg KH To: Xia Fukun Cc: prajnoha@redhat.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH v4] kobject: Fix global-out-of-bounds in kobject_action_type() Message-ID: <2023051308-line-curable-6d76@gregkh> References: <20230512103029.183852-1-xiafukun@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230512103029.183852-1-xiafukun@huawei.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 12, 2023 at 06:30:29PM +0800, Xia Fukun wrote: > The following c language code can trigger KASAN's global variable > out-of-bounds access error in kobject_action_type(): > > int main() { > int fd; > char *filename = "/sys/block/ram12/uevent"; > char str[86] = "offline"; > int len = 86; > > fd = open(filename, O_WRONLY); > if (fd == -1) { > printf("open"); > exit(1); > } > > if (write(fd, str, len) == -1) { > printf("write"); > exit(1); > } > > close(fd); > return 0; > } > > Function kobject_action_type() receives the input parameters buf and count, > where count is the length of the string buf. > > In the use case we provided, count is 86, the count_first is 85. > Buf points to a string with a length of 86, and its first seven > characters are "offline". > In line 87 of the code, kobject_actions[action] is the string "offline" > with the length of 7,an out-of-boundary access will appear: > > kobject_actions[action][85]. > > Use sysfs_match_string() to replace the fragile and convoluted loop. > This function is well-tested for parsing sysfs inputs. Moreover, this > modification will not cause any functional changes. > > Fixes: f36776fafbaa ("kobject: support passing in variables for synthetic uevents") > Signed-off-by: Xia Fukun > --- > v3 -> v4: > - refactor the function to be more obviously correct and readable How did you test this as it does not even build? confused, greg k-h